Cisco Support Community
New Member

Accessing an internal resource from the Internet

I want to allow users from the Internet to access a web server on my private network. I am PAT'ing all my inside users to my public IP for outbound connectivity. In a PIX I know I must allow the outside user through the "outside" access-list and create a static NAT statement. Other than using a route-map is there another way to map a user from the Internet to an internal server?

Thanks in advance!

4 REPLIES
Hall of Fame Super Gold

Re: Accessing an internal resource from the Internet

Anthony

I am not clear from your question whether you do have a PIX or are just comparing your situation with what you know you need to do on a PIX. Can you clarify?

As you recognize, when you want to allow users from the Internet to access a server inside your network you need to have a consistent translation of the internal address to some externally reachable address. Static NAT is usually the solution. It gets tricky when you are using PAT.

HTH

Rick

New Member

Re: Accessing an internal resource from the Internet

Rick,

Thanks for the quick reply!

I failed to mention that I am using an 831 router. I will upload my config.

Thanks again!

New Member

Re: Accessing an internal resource from the Internet

+++++++++ MY CONFIG ++++++++

831#sh run
Building configuration...

Current configuration : 2884 bytes
!
! Last configuration change at 10:31:08 EDT Tue Aug 29 2006
! NVRAM config last updated at 17:11:02 EDT Mon Aug 28 2006
!
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime msec
service password-encryption
!
hostname 831
!
logging buffered warnings
enable secret 5
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip domain lookup
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 212.x.5.x
 lease 0 2
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group 103 in
 ip nat outside
 ip inspect SDM_LOW out
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip classless
no ip http server
!
!
access-list 1 permit 166.7.9.112
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any any eq bootpc
access-list 103 permit gre host 6.166.18.194 any
access-list 103 permit udp host 26.17.95.122 any eq tftp
access-list 103 permit tcp host 26.17.95.122 any eq telnet
access-list 103 permit udp host 26.17.95.122 any eq ntp
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
banner login ^C
This device is private property. Unauthorized access is not permitted. If you are unauthorized to access this device, you MUST disconnect immediately. All access to this device is logged. ^C
!
line con 0
 password 7
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 120 0
 password 7
 login
 length 0
!
scheduler max-task-time 5000
sntp server 132.163.4.101
end

Hall of Fame Super Bronze

Re: Accessing an internal resource from the Internet

Anthony,

What ports do you want to forward from the internal IP?

EDIT:

I read the original post and I see you have a webserver.

This IP NAT statement should take care of the HTTP requests.

ip nat inside source static tcp [webserverIP] 80 interface Ethernet1 80

You will also need to allow port 80 on ACL 103 for that webserver.
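An added example, not from the thread: a small Python evaluator for the inbound ACL 103 posted above, showing that the port-80 permit the last reply asks for only takes effect if it sits before the final "deny ip any any log" (and, to keep the anti-spoofing lines working, after the private-range denies). The client and outside-interface addresses are constructed sample values.

```python
import ipaddress

# Inbound ACL 103 as posted above (numbered extended ACL: first match wins).
ACL_103_POSTED = [
    "permit udp any any eq bootpc", "permit gre host 6.166.18.194 any",
    "permit udp host 26.17.95.122 any eq tftp", "permit tcp host 26.17.95.122 any eq telnet",
    "permit udp host 26.17.95.122 any eq ntp", "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any", "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any", "deny ip host 255.255.255.255 any",
    "deny ip host 0.0.0.0 any", "deny ip any any log",
]
WEB_PERMIT = "permit tcp any any eq www"  # the line the last reply asks for
PORT_NAMES = {"bootpc": 68, "tftp": 69, "telnet": 23, "ntp": 123, "www": 80}
_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(t, i):  # 'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), next i)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):  # optional 'eq <name|number>' qualifier; None means any port
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_rule(line):  # -> (action, proto, src, dst, dport); trailing "log" ignored
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, _port(t, i)[1])   # skip a source-port qualifier if present
    return t[0], t[1], src, dst, _port(t, i)[0]

def _match(addr, spec):  # IOS wildcard: 0 bits must match, 1 bits are don't-care
    mask = ~spec[1] & 0xFFFFFFFF
    return addr & mask == spec[0] & mask

def evaluate(acl, proto, src, dst, dport):  # first matching line, else implicit deny
    s, d = _ip(src), _ip(dst)
    for action, rproto, rsrc, rdst, rport in map(parse_rule, acl):
        if (rproto in ("ip", proto) and _match(s, rsrc) and _match(d, rdst)
                and rport in (None, dport)):
            return action
    return "deny"

# Constructed sample addresses: an Internet client and the router's outside IP.
CLIENT, OUTSIDE_IP = "198.51.100.7", "203.0.113.10"
# The permit belongs after the private-range denies and before "deny ip any any log";
# "access-list 103 permit ..." typed at the CLI is appended after that deny instead.
ACL_103_FIXED = ACL_103_POSTED[:-1] + [WEB_PERMIT] + ACL_103_POSTED[-1:]
ACL_103_APPENDED = ACL_103_POSTED + [WEB_PERMIT]
```

Because a numbered ACL cannot be edited in place on this IOS release, the practical fix is to remove ACL 103 and re-enter it with the permit in the right position, then verify with "show access-lists 103" that the hit counters land on the new line.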
